Analysis
-
max time kernel
15s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
26-08-2021 08:15
Static task
static1
Behavioral task
behavioral1
Sample
b41347dd_eavIdGqZjF.dll
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
General
-
Target
b41347dd_eavIdGqZjF.dll
-
Size
1.1MB
-
MD5
b41347dd6f333c3d117fa5cdd8c99f03
-
SHA1
83fcb636b37bc9aa3767ab3b95a2eb8482eea360
-
SHA256
b46e4d49f8b5060174e8559dc3a8e34f3cea5896666ea95afab91ab258d9fbfc
-
SHA512
598b1afd5fd893e75ed4d5bceb9ef4354bf2e8868161d309dedb806d66611b00342fdfa52a145d300d2fdfd491fdfd5dc3fd188fe18a1b6dfb3a180b4143be0a
Malware Config
Signatures
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Processes:
regsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\MenuText = "McAfee WebAdvisor" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804\MenuText = "迈克菲联网顾问" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\@ = "WebAdvisor Menu" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\ButtonText = "McAfee WebAdvisor" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\CLSID = "{32CFFBE7-8BB7-4BC3-83D8-8197671920D6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Icon regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\MenuStatusBar = "MStatus bar View SiteReport" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804\ButtonText = "迈克菲联网顾问" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Default Visible = "Yes" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411\ButtonText = "マカフィー ウェブアドバイザー" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\CLSIDExtension = "{29B24532-6CE1-41BA-8BF0-F580EA174AF1}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\HotIcon regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411\MenuText = "マカフィー ウェブアドバイザー" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412\MenuText = "McAfee 웹어드바이저" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412\ButtonText = "McAfee 웹어드바이저" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804 regsvr32.exe -
Modifies registry class 12 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b41347dd_eavIdGqZjF.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ = "McAfee WebAdvisor" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\ = "McAfee WebAdvisor Extension" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b41347dd_eavIdGqZjF.dll" regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
regsvr32.exedescription pid process target process PID 3908 wrote to memory of 1056 3908 regsvr32.exe regsvr32.exe PID 3908 wrote to memory of 1056 3908 regsvr32.exe regsvr32.exe PID 3908 wrote to memory of 1056 3908 regsvr32.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\b41347dd_eavIdGqZjF.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\b41347dd_eavIdGqZjF.dll2⤵
- Modifies Internet Explorer settings
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1056-114-0x0000000000000000-mapping.dmp